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DR COPY 

CONFIDENTIAL 


1515 Broadway, 26th Floor 
New York, NY 10036 

Attention: Mr. Peal Hefanbech, Vice President Engineering 

Reference: Revised Statement of Work for MPAA/Merdao Proposal 

Dear Mr. Heimbach: 

Merdan is pleased to provide you with our revised Statement of Work (SOW) for expert security 
support. Please find the SOW attached which provides you with Medan’s proposed ap pr oach , 
schedule, and price for performing a security vulnerability assessment of the Mmsushita/Tosinba 
Digital Video Disk product (system). 

Because time is of the essence, theta an two critical criteria that must be met in performing a 
security vulnerability analysis. The first Is that Viacom autfaorue the Merdan tank to start not 
later than Wednesday, 4 December 1 996. The second is that the DVD manufacturer technical 
representatives) attend a 5 Dece m ber 1 996 rearing at Merdan* 3 San Diego. California facility. 
It is expected that the DVD technical presentation and technical interchange meetings should 
take approximately three hours. It is imperative that the DVD representative attending the 
meeting be prepared to fully discuss foe DVD product (less non-disdosun date). Merdan 
understands the sensitive data will follow in paper form after necessary administrative protocols 
are observed. 

To facilitate the contractual process, a completed revised Task Order 002 is attached to the SOW 
for your signature and return to Merdan for final execution. If you have any questions, please 
call either Jim Ludwig or me at [800] 608*6029. 


Sincerely, 

« 

Linda R. Swilling 
Vice President, Finance 

JWSLmm 


Enclosures: Attaehment*A Statement of Wok. (Revised) 

Attachmeat-B Task Order 002 (Revised) 

MERDAN GROUP, INC. 

461 7 RUFFN6R ST. / P.O. 20X 1 70C8. 92 1 77-709S / SAN OIEGO. CA 92 1 1 1 -2280 
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Attachment-A 

MERDAN GROUP, INC 

STATEMENT OP WORK TO PROVIDE EXPERT SECURITY SUPPORT 

TO VIACOM INTERNATIONAL 
(REVISION 1) 


1J INTRODUCTION 

Tbe Modoc Picture Association of Amedeo, Inc. through VIACOM fmemartn™) decree to use 

the eupport of an independent security e ngin ee ring contractor to identify »rvj 

streogthe and vulnerabilities* in a current Matsushita/Toshibe operational Digital Video Diak 

(DVD) Product (System), in part by comparing the security of the DVD system to otber karwn 
and deployed copyright protection technologies. 


b. 


c. 


MPAA will facilitate acquisition of ail necessary nondisclosure agreements by 
Merdan and award the task to Merdan to start not later than 4 December 1 996. 
MPAA will coordinate with Matsuahita/Toahiba to 


repreaentativei at the Merdan San Diego facility not later 5 December 1996, 

Merdan will generate a report of finding* baaed on the product briefings, 

technical interchange meeting with the visiting DVD engineer, and analysis of the 
provided sensitive proprietory data from Matsushita. 


2.0 TASK DESCRIPTION 


2.1 PRESENTATION 


A minimum of two and a maximum of four Mardan sxpart security engineers and or analysts 



Califbsnia facility and listen to the system/product description p rwnf ^ 
interchange meeting with the visiting representatives will fellow the presentation. In addition, 
Madan will expect to receive appropriate system/technical data at the meeting and written 

sanative data by 12 December 1990. This initial engineering technical meeting is scheduled fer 
Thursday, 5 December 1996. 
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SECURITY ASSESSMENT AND FOLLOW-ON TECHNICAL INTERCHANGE 

Following the presentation and initial technical interchange, Mercian will perform the 
preliminary vulnerability assessment of 4a DVD product/system. In the event tiut the seed 
arises for Merrian to receive technical answer* to questions arising while performing the 
anaiyna, Mercian expacta to be able to dirootly contact appropriate designated technical staff 
from Mstsushits/TWiibe to quickly resolve the technical question^). The IbCUS Of the Meidan 

aaeeaamert will be to describe the proposed system in terms of its ability to prevent conannei* 

from accessing, without permission, MPAA members’ motion pictures that incorporate the 
System. The assessment will conclude after receipt and evaluation of the sensitive written 

material 

23 WRITTEN REPORT 

Following our total security vulnerability assessment, Mercian will provide a written report of 
findings. The fbcus of this report will be: (1) to assess the difficulty of compromiting the 
System; (?) to assess the difficulty of implementing a compromise of the S ystem by avenge 
owners of digital recording and playback devices, if a compromise w ere to be generally 
accessible; (3) to provide recommendations regarding security of the System resulting from our 
analysis and findings; (4) based upon your experience in evaluating encryption technologies, to 
explain if there are patent issues surrounding the System to which we shahm be alerted. 

2.4 DISTRIBUTION OF FINDINGS 

% 

The findings of the security vulnerability assessment and the resulting report will be distributed 
to the MPAA, alone. All findings, r e ports, opinions and disclosures shall be held in strictest 
confidence and shall be maintained on a “need to know" level. 
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3.0 SCHEDULE 

Merdan Group, Inc. Ii closed between 21 December 1 996 and 1 January 1 997 for the holid*>«. 

propoted schedule is totally dependent on Task start-up, Technical briefing; «ad Madia's 

rec«pt of sanative data as previously mentioned above. The initial milestones and tentative 
schedule for this task is as follows; 



a. 

b. 

c. 


d. 


e. 


f. 


8 - 


T»ak san-up, not later than Wednesday, 4 December 1996. 
Matsushita technical briefing on Thursday, 5 Decanber 1996. 


Merdan’s receipt of written sensitive data from Minshtta r*^ ,h« n j j 
1996. 


Security analysis completion not later than Friday, 20 December 1 996. 

Report of findings completed and sent to MPAA in overnight mail during the 

week of 6 January 1997. 

Conference call generated by MPAA to Marian, if necessary, for finding. 
discussion during week of 6 or 13 January 1997. 

Task ends, close of business an Friday, 10 January 1997. 


The schedule will slip day for day dependent upon achieving the milestones shown in 3.0 above. 
The key critical milestones are jl, b., and c. 


4.0 COST 


Merdan’s fined price for this Security Evaluation is $1 8,470. We do not omiHp ete any travel 

associated with this effort. However, in the event that travel is required, it will be billed at raw t 
plus 10% General and Administrative c ha r ges . 
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